CVE-2026-8192
published 2026-05-09CVE-2026-8192: A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a…
PriorityP275high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
4.84%
90.9th percentile
A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument EncrypType/wl_Pass is directly passed by the attacker/so we can control the EncrypType/wl_Pass results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elysiajs | elysia | >= 0 < 1.4.26 | 1.4.26 |
| wavlink | nu516u1 | — | — |
| wavlink | wl-nu516u1_firmware | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.02.1LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation
ghsa·2026-06-25
CVE-2026-48504 [MEDIUM] CWE-770 opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation
opentelemetry_sdk has unbounded memory allocation in W3C Baggage propagation
## Summary
`BaggagePropagator::extract_with_context` in `opentelemetry_sdk` did not enforce the W3C Baggage size limits before parsing an inbound `baggage` header. A large attacker-controlled header could cause unnecessary CPU work and short-lived heap allocations while parsing entries that would later be discarded by the SDK's baggage storage limits.
The SDK now applies limits aligned with the W3C Baggage limits:
- 64 list-members
- 8192 bytes total
## Impact
Services that accept untrusted inbound propagation headers may experience increased per-request resource usage when processing oversized `baggage` headers. This can contribute to denial-of-service risk, especially when application or transport-level he
GHSA
Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
ghsa·2026-06-08
CVE-2026-44892 [HIGH] CWE-1188 Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
### Summary
The default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`.
### Details
Netty securely limits header sizes for older protocols. In HTTP/1.1, Netty strictly enforces an `8192`-byte limit out-of-the-box via `HttpObjectDecoder`. For HTTP/2, while RFC 9113 specifies that `SETTINGS_MAX_HEADE
GHSA
GHSA-xgwq-r73w-qq4g: A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425
ghsa_unreviewed·2026-05-09
CVE-2026-8192 [LOW] CWE-77 GHSA-xgwq-r73w-qq4g: A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425
A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument EncrypType/wl_Pass is directly passed by the attacker/so we can control the EncrypType/wl_Pass results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
VulDB
Wavlink NU516U1 M16U1_V240425 /cgi-bin/adm.cgi wzdap os command injection
vuldb·2026-05-08·CVSS 2.1
CVE-2026-8192 [LOW] Wavlink NU516U1 M16U1_V240425 /cgi-bin/adm.cgi wzdap os command injection
A vulnerability identified as critical has been detected in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument EncrypType/wl_Pass is directly passed by the attacker/so we can control the EncrypType/wl_Pass results in os command injection.
This vulnerability was named CVE-2026-8192. The attack may be initiated remotely. In addition, an exploit is available.
The vendor was contacted early about this disclosure.
GHSA
Elysia has a string URL format ReDoS
ghsa·2026-03-10
CVE-2026-30837 [HIGH] CWE-1333 Elysia has a string URL format ReDoS
Elysia has a string URL format ReDoS
### Impact
`t.String({ format: 'url' })` is vulnerable to redos
Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly
```js
'http://a'.repeat(n)
```
Here's a table demonstrating how long it takes to process repeated partial url format
| `n` repeat | elapsed_ms |
| --- | --- |
| 1024 | 33.993 |
| 2048 | 134.357 |
| 4096 | 537.608 |
| 8192 | 2155.842 |
| 16384 | 8618.457 |
| 32768 | 34604.139 |
### Patches
Patched by 1.4.26, please kindly update `elysia` to >= 1.4.26
Here's how long it takes after the patch
| `n` repeat | elapsed_ms |
| --- | --- |
| 1024 | 0.194 |
| 2048 | 0.274 |
| 4096 | 0.455 |
| 8192 | 0.831 |
| 16384 | 1.632 |
| 32768 | 3.052 |
### Workarounds
1. It's recommended to always
Red Hat
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
vendor_redhat·2026-05-22·CVSS 7.5
CVE-2026-39829 [HIGH] CWE-1284 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or
Red Hat
kernel: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
vendor_redhat·2026-03-25
CVE-2026-23390 CWE-131 kernel: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
kernel: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
In the Linux kernel, the following vulnerability has been resolved:
tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
The dma_map_sg tracepoint can trigger a perf buffer overflow when
tracing large scatter-gather lists. With devices like virtio-gpu
creating large DRM buffers, nents can exceed 1000 entries, resulting
in:
phys_addrs: 1000 * 8 bytes = 8,000 bytes
dma_addrs: 1000 * 8 bytes = 8,000 bytes
lengths: 1000 * 4 bytes = 4,000 bytes
Total: ~20,000 bytes
This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:
WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405
perf buffer not large enough, wanted 24620, have 8192
Cap all three dynamic arrays at 128 entries using min() in
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-45961 kernel: gfs2: fix memory leaks in gfs2_fill_super error path
bugzilla·2026-05-27
CVE-2026-45961 [LOW] CVE-2026-45961 kernel: gfs2: fix memory leaks in gfs2_fill_super error path
CVE-2026-45961 kernel: gfs2: fix memory leaks in gfs2_fill_super error path
In the Linux kernel, the following vulnerability has been resolved:
gfs2: fix memory leaks in gfs2_fill_super error path
Fix two memory leaks in the gfs2_fill_super() error handling path when
transitioning a filesystem to read-write mode fails.
First leak: kthread objects (thread_struct, task_struct, etc.)
When gfs2_freeze_lock_shared() fails after init_threads() succeeds, the
created kernel threads (logd and quotad) are never destroyed. This
occurs because the fail_per_node label doesn't call
gfs2_destroy_threads().
Second leak: quota bitmap buffer (8192 bytes)
When gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but
before other operations complete, the allocated quota bitmap is never
freed.
The fi
Bugzilla
CVE-2026-39829 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
bugzilla·2026-05-22·CVSS 7.5
CVE-2026-39829 [HIGH] CVE-2026-39829 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
CVE-2026-39829 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
Bugzilla
CVE-2026-29181 github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Denial of Service via crafted multi-value baggage headers
bugzilla·2026-04-07·CVSS 7.5
CVE-2026-29181 [HIGH] CVE-2026-29181 github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Denial of Service via crafted multi-value baggage headers
CVE-2026-29181 github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Denial of Service via crafted multi-value baggage headers
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
2026-05-09
Published